disable sa lifetime KB?

Unanswered Question
Apr 30th, 2009

On the ASAs (8.x) when i creare a crypto map it automagically adds:

set security-association lifetime kilobytes 4608000

I have been able to change the number of kilobytes but have not been able to remove this setting entirely for tunnels where we do not want to have a lifetime based on kilobytes but rather only on time.

How do I remove this?

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
John Blakley Thu, 04/30/2009 - 10:38

I don't have the same problem you are.

Try this:

no crypt map set security-association life kil 4608000

crypt map set security-association lifetime seconds

It may not let you do this while the tunnel is established though.

HTH,

John

slug420 Thu, 04/30/2009 - 10:55

I tried that...it didnt go anywhere. That is actually what they list in the documentation as a way to remove this setting...doesnt seem to work though.

John Blakley Thu, 04/30/2009 - 11:01

I was able to reproduce it.

Type:

no ipsec security-association lifetime kilo

It sets a default, and it should remove it from your crypto map.

John

slug420 Thu, 04/30/2009 - 11:06

im lost...did it set it to the default (this is what I found) or did it remove it from the crypto map (this did not happen for me)

John Blakley Thu, 04/30/2009 - 11:08

I removed my crypto map and recreated another one:

I had two lifetime settings in my crypto map after setting it, but I was able to remove the one that wasn't the default.

So if you set your lifetime to seconds, you should be able to remove you kb one with "no crypt map security-association...."

John

slug420 Thu, 04/30/2009 - 11:15

interesting, was this in 8.x? I will have to try that.

Maybe my lifetime in seconds was still at the default setting when i was trying to remove the kb one...

John Blakley Thu, 04/30/2009 - 11:17

When I run the ipsec security.... it automatically adds it to my existing crypto maps. I still couldn't remove it from the crypto map with "no crypto...", but I could remove it with "no ipsec security...."

And I'm running 8.0(3) on mine.

HTH,

John

Richard Burts Thu, 04/30/2009 - 10:42

Chris

I do not believe that there is an option to remove the kilobits lifetime. You can set it to a very high value (2147483647 K on my ASA) to reduce the chance that it will be exceeded. But I do not believe that you can remove it.

It is a basic part of the specification of IPSec. The thought behind it is similar to the thought behind the time based lifetime: the longer the Security Association uses the same keys (or the more data is transmitted using the same keys) the better chance some intruder has of breaking the keys. Why would you want to remove this protection.

HTH

Rick

slug420 Thu, 04/30/2009 - 11:02

I am pretty sure 6.x did not have this enabled by default and as far as I know there were no security compromises as a result. I think setting either the time or the KB is sufficient security.

I just built a tunnel with someone and they had a preference to not use the KB lifetime and only use the time lifetime. I had no problem with this since i think the KB lifetime is not necessary but I was unable to meet their requested settings and had to make them add a KB lifetime.

Also worth noting the KB lifetime set by default is greater than the maximum KB lifetime on checkpoint firewalls...so if you are building a VPN to a CP you have to change this setting....

Generally speaking I would rather not have something set if I dont know why it is needed and if its value was arbitrarily chosen....just one more thing to cause problems.

John Blakley Thu, 04/30/2009 - 11:03

Oh, and to change your default, you can type:

ipsec security-association lifetime seconds

HTH,

John

John Blakley Thu, 04/30/2009 - 11:15

Try this:

no ipsec security-association lifetime kilobytes

That should remove it from your crypto map and then you can specify in your map what you want.

Let me know, I'm curious =)

John

Richard Burts Thu, 04/30/2009 - 18:14

Chris

You and John are discussing whether you can get the statement to not show up in the config file. Given the Cisco practice that default values generally do not show up in the running config, making it not show in the running config is not necessarily the same as not having it active.

I have never done a show crypto map that there was not a crypto lifetime in kilobytes. I do not believe that Cisco gives you the option to disable lifetime in kilobytes.

HTH

Rick

Actions

This Discussion